One thing that many developers are not aware of is that WordPress automatically adds magic quotes to request variables. This means that all quotes, backslashes and null-byte characters will be escaped with a backslash.

Even if you disable magic quotes in php.ini, WordPress will apply them to $_GET, $_POST, $_COOKIE and other superglobals anyway. If you ever notice unexpected slashes showing up in your input data, this is why.

The function that enables magic quotes is called wp_magic_quotes(). It is declared in /wp-includes/load.php and called in /wp-settings.php, shortly after WordPress finishes loading plugins.

So how do you access the clean, un-escaped data? Unfortunately, it is not possible to completely turn off WordPress magic quotes without editing core files. However, since WordPress adds magic quotes after all plugins have been loaded, you can simply grab the unmodified variables while your plugin is loading (or in the “plugins_loaded” action) and store a local copy for your own use. Here’s an example:
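
A minimal version of that approach, added here as an illustration (it is not the original post's code and not part of WordPress; the class name `Raw_Request_Snapshot` and the `title` form field are made up for the example):

```php
<?php
/*
 * Plugin Name: Raw Request Snapshot (illustrative example)
 */

// Hypothetical helper: copies the superglobals while the plugin file is
// being included, i.e. before wp-settings.php calls wp_magic_quotes().
final class Raw_Request_Snapshot {
    private static $data = array();

    public static function capture() {
        if ( self::$data ) {
            return; // Already captured; never re-read slashed data later.
        }
        // PHP copies arrays by value, so later changes WordPress makes
        // to $_GET, $_POST and $_COOKIE do not affect this snapshot.
        self::$data = array(
            'get'    => $_GET,
            'post'   => $_POST,
            'cookie' => $_COOKIE,
        );
    }

    // Returns the raw value, or $default if the key is absent. A value can
    // be an array (e.g. title[]=x), so callers should check the type.
    public static function value( $source, $key, $default = null ) {
        return isset( self::$data[ $source ][ $key ] )
            ? self::$data[ $source ][ $key ]
            : $default;
    }
}

Raw_Request_Snapshot::capture(); // Runs at plugin load time.

add_action( 'init', function () {
    $title = Raw_Request_Snapshot::value( 'post', 'title', '' );
    if ( ! is_string( $title ) || '' === $title ) {
        return;
    }
    // $title is raw, untrusted input. The slashes were never a defence:
    // - SQL: use $wpdb->prepare() with placeholders.
    // - HTML output: escape with esc_html() / esc_attr().
    // - Core APIs that expect slashed data (e.g. update_post_meta())
    //   need wp_slash( $title ), otherwise backslashes are lost.
    error_log( 'title length: ' . strlen( $title ) );
} );
```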

Now you might be wondering: why go to all this trouble with copying built-in PHP variables when you could continue using them as normal and just run stripslashes() on any input data? There are several reasons:

Sooner or later, you’re going to forget to call stripslashes() somewhere. This can lead to hard-to-find bugs.

Code duplication. Why spread the backslash-stripping code throughout your entire codebase when you could put it in one place?

Forward compatibility. If the WordPress team ever decides to stop emulating this deprecated PHP misfeature, plugins and themes that indiscriminately apply stripslashes() to all input data will suddenly break.

That said, I wouldn’t count on WordPress dropping this “feature” any time soon. It’s a matter of backwards compatibility, and sometimes it seems WordPress considers compatibility more important than encouraging good programming practices.